s
2nd question: any hints on the concept of ‘Privileged Access Management’ or ‘Just In Time’ access, in relation to Cerbos? Do your users have these time-based concepts implemented by means of a conditional, time-based derived policy? So when requesting ‘temporary access’ to manage a resource, an accompanying temporary policy has to be added via the Admin API?
a
That is certainly one way to do it. Another option, which allows your policies to stay static, is to pass in the time window as an attribute of the user and then use the time conditions in the policies to grant access.
s
That one I don’t grasp completely. Do you mean storing a certain time window in the policy and sending the current time with the authZ request? Then evaluating whether the requested time falls into the window defined on the policy?
a
Something like this: your principal object would contain attributes which define when access starts and ends (the timestamps carry a timezone designator so that the policy's timestamp() conversion can parse them as RFC 3339):
{
  "id": "sally",
  "roles": [
    "USER"
  ],
  "attr": {
    "accessStart": "2021-10-01T10:00:00.021Z",
    "accessEnd": "2021-10-02T10:00:00.021Z"
  }
}
Then in your policy you could have:
- actions: ["someAction"]
  effect: EFFECT_ALLOW
  roles:
    - USER
  condition:
    match:
      expr: now() > timestamp(request.principal.attr.accessStart) && now() < timestamp(request.principal.attr.accessEnd)